Facts

In 2020, Accellion, a software company that provides third-party file transfer services to clients, disclosed to its 300 clients that criminals breached its client-submitted data via a vulnerability in its File Transfer Application (FTA). In January 2021, Accellion informed Kroger Co., Accellion's client at the time, that its files and information were impacted by the data breach of Accellion's FTA platform. In February 2021, Kroger publicly confirmed that the personal information of approximately 3.82 million Kroger pharmacy customers, along with certain associates' HR data and certain monetary service records, was compromised in the Accellion data breach. The criminals responsible for the breach were associated with a Clop ransomware gang and demanded payment in exchange for the return and deletion of the client's files. The personal information obtained included names, emails, addresses, phone numbers, Social Security numbers, bank account information, insurance information, and prescription information of Kroger customers and employees. Later in 2021, several customers in California and other states who provided Kroger with their personal information individually and on behalf of all others similarly situated brought a civil class action lawsuit against Accellion, Inc. and The Kroger Co. The parties engaged in mediation with the Honorable Judge Jay C. Gandhi of JAMS, which resulted in a settlement agreement.

PLAINTIFFS' CONTENTIONS: Plaintiffs contended that defendants were aware of the data shortcomings in Accellion's FTA product yet continued to use FTA, thus putting Kroger's customers and employees at risk of being impacted by a breach. Further, plaintiffs maintained that these failures ensured that the services and products used by Kroger fell short of their obligations and the customer's reasonable expectations for data privacy and jeopardized the security of plaintiffs' personal information. Plaintiffs further contended that as a result of the foreseeable breach, customers faced a substantially increased risk of identity theft and fraud and now must take immediate and time-consuming action to protect themselves from such identity theft and fraud. Finally, plaintiffs alleged that Accellion and Kroger were aware of or should have been aware of the deficiencies in its legacy file transfer product and failed to adequately protect their personal information entrusted to them by Kroger.

DEFENDANTS' CONTENTIONS: Defendants denied any and all wrongdoing, fault, violation of the law, or liability of any kind related to its actions in the case. Kroger maintained that upon learning of the breach it investigated the scope of the incident, reported the incident to the federal law enforcement authorities, and recovered the data for the settlement class members. Kroger further alleged that it continues to monitor the dark web to ensure the information is not retained or disseminated. Kroger confirmed that it is no longer using Accellion for its file transfer needs.

Result

$5,000,000 settlement